Mobile device forensics: threats, challenges, and future trends

Mobile device forensics: threats, challenges, and future trends

CHAPTER Mobile device forensics: threats, challenges, and future trends 5 Josh Brunty Marshall University, WV, USA INTRODUCTION The mobile device, ...

1MB Sizes 0 Downloads 96 Views

CHAPTER

Mobile device forensics: threats, challenges, and future trends

5 Josh Brunty Marshall University, WV, USA

INTRODUCTION The mobile device, in many respects, has profoundly changed the way people of the world communicate, interact, conduct business, and share information to their network of friends and colleagues. In many cases, it has rivaled, if not surpassed, the innovations seen at the beginning of the personal computer (PC) revolution of the 1980s and 1990s. It is the catalyst of technological innovation of the 21st century, forcing software and hardware manufacturers to develop around mobile technology. Moreover, it connects multiple platforms, such as Internet, social media sites, television, and even radio into a single device. The mobile device has also evolved ready access to “big data” and the “cloud. ” These once massive online databases are now readily available and searchable through usage of apps and other integrated features within the mobile device. As such, the mobile device hardware and software developers are the greatest beneficiary of this so-called paradigm shift in how people interact with one another and with data as a whole. The proliferation and sustained growth of social media applications instantly pushes current events and social and cultural issues to these devices, allowing people to discuss their views and intentions in virtual anonymity. Consumers are turning to mobile devices in increasing numbers as their primary source of communication and information due to their high degree of portability, privacy, and functionality. These changes, both hardware and software, whether they be as subtle as a security patch or software version upgrade, or a new release of hardware, can significantly impact the processes of the mobile forensic examiner. As such, an examiner must be keenly aware of industry trends, new releases, changes, and the challenges they pose in the course of an investigation.

THE HARDWARE VERSUS SOFTWARE COMPLEXITY TREND Ninety percent of American adults own a cell phone, with 64% of this number owning a smart device (Pew, 2013). In the mobile device world, the perception of innovation is what drives most of these consumers to a specific device. The need

69

70

CHAPTER 5  Mobile device forensics

Table 5.1  Market Share of Mobile Operating Systems (Gartner Media, 2014) Google Android Apple iOS Windows Phone Blackberry OS (RIM)

76% 14% 0.3% 0.3%

to own the newest and most-effective features is important to most. This drive of competition is what is pushing the market of the major developers and manufacturers. According to Forbes, most customers look for the following features in selecting mobile device hardware: • • • • • • •

A more durable, faster, yet thinner hardware device. A larger, hi-def capable LED touchscreen A device capable of recording HD video and still images High-capacity storage to store more multimedia content Improved battery life Enhanced GPS technology Better device security and encryption

These features give some indication of what hardware challenges and possible evidentiary benefits may lie ahead for the mobile forensic examiner. In respect, increased device security through implementation of better encryption may make it harder to extract evidentiary data from smart devices, but in the same token, increased video and storage capability may yield more high-resolution video evidence that has probative value to a case. Many consumers and mobile device forensic examiners alike can concur that there is value in understanding hardware, but hardware is heavily dependent on the type of operating system it is running. For the first time, mobile device markets are pushing mobile device operating systems in the same element as their hardware counterparts. Current statistics show the market-share distribution of mobile operating systems on hardware devices (Table 5.1). It is implied by the above chart that Android and iOS will likely be the operating system that will most likely be encountered by the mobile examiner. This assumption is validated by the annual growth statistics (Table 5.2).

Table 5.2  Annual Growth of Mobile Operating Systems (Gartner Media, 2014) Google Android Apple iOS Windows Mobile Blackberry OS (RIM)

77.83% 17.8% 2.94% 0.72%

Cloud services and mobile platforms – inherent vulnerabilities

These industry trends, it seems, should make the examiner place heavy focus on the two major players in mobile OS market: iOS and Android. Unique combinations of hardware and OS may play significant change in how that device is examined. For instance, an iPhone 5s running iOS 8 may be significantly easier to bypass passcode and extract information than the same hardware device running the newly released iOS 9. Thus, a firm understanding of industry trends in hardware and software is imperative to remain an effective mobile device examiner. Workarounds are constantly being developed and released my mobile forensic vendors. Proactively staying abreast of these changes will not only make it easier to identify such threats and challenges, but also how to approach these challenges and threats. The following subsections seek to point out some of these emerging threats and trends and how they may affect mobile device forensics.

CLOUD SERVICES AND MOBILE PLATFORMS – INHERENT VULNERABILITIES The emergence of cloud-based services on mobile device platforms has shifted the paradigm of “where” data may be located. Pertinent digital evidence can be synced to other devices, including other computers, or cloud-based storage accounts such as Dropbox, Box, or Google Docs. Currently, all major mobile device vendors offer cloud services for their operating systems (Table 5.3). In the same token, this offloading of personal and business data from the mobile device to offsite servers maintained by these cloud services created the potential for an individual or organization’s data to be compromised. To exemplify, in early 2015 hackers gained access to the iCloud accounts of a handful of celebrities including Jennifer Lawrence, Ariana Grande, and Kate Upton, and released nude photos and other personal information of these celebrities (Hein, 2014). Apple’s Find My iPhone (iCloud) login page was discovered to have been vulnerable to so-called “brute force” hacks. In most cases, hackers are usually locked out of sites if they try to gain access using multiple passwords, but it was discovered that the Find My iPhone API allows users to repeatedly try different passwords. Hackers used this brute-force method, along with the forensic application Elcomsoft Phone Password Breaker (EPPB) to break into and fully download all data stored within these celebrities’ iCloud account (calendar, photos, email, etc.) (Hein, 2014). This incident alone stresses not only the importance of examiner education to investigate and reverse-engineer such Table 5.3  Cloud Services by Mobile Operating System Google Android Apple iOS Blackberry (RIM) Windows Phone

Google Drive iCloud Blackberry Cloud Microsoft OneDrive

71

72

CHAPTER 5  Mobile device forensics

threats if they occur, but also user awareness education to mitigate such potential threats that may not even be known to the community yet. The importance of user security awareness training at all levels cannot be understated. Many advanced persistent threats (APT), which in this case, include those threats to mobile cloud-based services, commonly leverage social engineering, and/or backdoor tactics to entice user intervention at some level, and if not requiring user intervention, exploit a weak vulnerability allowed by the mobile device, such as a simple password. The presence of strong corporate policies regulating BYOD (bring your own device) and personal cloud services may save investigative headache down the road for the mobile forensic examiner.

THERE IS AN APP FOR THAT – FORENSIC CHALLENGES AND THREATS WITHIN APPS Apps are being pushed out and installed to mobile devices at an almost feverish pace. Grassroots and high-level developers have the ability in both Android, iOS, Windows, and Blackberry to market apps to users through comprehensive, cloud-driven marketplaces (Table 5.4). It has long been assumed within digital forensics and information security that inherent vulnerabilities existed in the various app stores itself. The Google Play store, formerly known as the Android Marketplace, has, from its beginning, allowed users to install nonverified apps onto their devices. This fact, coupled with the cloud-based model of user data being stored and replicated in virtual servers, is certainly a recipe for disaster. In the same respect, Apple, who touted a virtually flawless and impenetrable app-store model, found vulnerabilities of their own in September, 2015. A malicious program, dubbed XcodeGhost, hit hundreds of Apple iOS apps, including products from some of China’s most successful tech companies used by hundreds of millions of people. Palo Alto Networks, a U.S. internet security company, that spotted the problem stated that an attacker could send commands to infected devices that could be used to steal personal information and, in theory, conduct phishing attacks (Finkle, 2015). The hackers targeted the App Store via a counterfeit version of Apple’s Xcode “toolkit” which is the software used to build apps to run on its iOS operating system. The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than Table 5.4  App Marketplaces by Vendor Google Android Apple iOS Blackberry Windows

Google Play App Store Blackberry World Windows Phone Store

There is an app for that – forensic challenges and threats within apps

using Apple’s U.S. servers (Carsten, 2015). This incident and threat alone justifies the inherent need for digital forensic and information security professionals to be well versed on application deconstruction for the possible presence of such malware on mobile devices. Although limitations may exist, say for example, in obtaining a full physical image (via JTAG, chip-off, or other hardware methods) over a logical image of a mobile device for such purposes, the recognition of the threat of tainted apps from app providers should be considered by those tasked with identifying and/ or investigating such threats. In most cases, apps are usually installed based upon the user’s need to utilize a certain app. Although in some cases, the app may be included in the original installation of the mobile operating system. For the mobile forensic investigator understanding (1) what data might be generated within these apps and (2) how to extract such data is of the utmost importance. The following, although not exhaustive, address the threats and investigative challenges that exist regarding data within apps.

SOCIAL MEDIA APPS Social media apps are easily the most popular and most widely used app category, and challenges and threats that exist in regards to the forensic extraction and investigation of these apps from mobile devices. Pedophiles, kidnappers, stalkers, and other criminals troll social media accounts via the apps installed on their mobile device, preying on current and potential victims. Criminals also use social media apps to upload incriminating data and brag of their criminal misdeeds. Social media can also be challenging for investigators as criminals use these apps to covertly communicate in the form of direct messages (DMs). This may prove to be challenging to the mobile forensic examiner as it requires extraction and analysis of particular SQLite or other database(s) and .plist files (Apple) in order to read such messages. One particular instance is the Words with Friends app, which, in addition to playing the actual game, allows users to interact and converse via private messages within a game. Additionally, “niche” social media apps may also prove to yield data of evidentiary value. App-driven dating sites like Tinder, Grindr, Match, and OKCupid not only allow users to unknowingly advertise themselves as potential victims, but also allow somewhat backdoor access into linked accounts. One such example is that of Tinder, which allows the user to link their Instagram account to Tinder. On one hand this may create privacy and security concerns for the user in creating a larger potential victim footprint, while in the same respect may allow additional forensic evidence to be cached within the app itself. Many use these aforementioned social media apps to stay connected with friends, family, and those with like interests, but they are also used to prey on victims that offer too much personal data to the public. This is why mobile forensic examiners should be well versed on the potential elements and pieces of evidence that may be harvested from these ever-developing apps.

73

74

CHAPTER 5  Mobile device forensics

NATIVE AND NON-NATIVE MESSAGING APPS There has been a recent steady increase in the capabilities of messaging capabilities in smart mobile devices. Native messaging apps, commonly referred to as SMS (short-message-service), enable users to send messages over a cellular network. The SMS method of messaging has existed for quite some time; however, many of these apps are now leveraging cloud features to push and/or allow simultaneous communication across multiple mobile devices and platforms. Platforms like Apple’s iMesssage will cache both sent and received messages on each device that is authenticated and is connected to the Internet. Users may also back up messages to the cloud. As an investigator, this means that evidentiary data can exist across multiple devices, and in some cases, may be more accessible or discoverable on one device over the other. To exemplify, iMessages that may be hard to get on one mobile iOS device due to encryption, passcodes, or otherwise may be easily attainable through a synced-up Macbook. In addition, full backups of native messaging databases may be available on a PC or laptop due to syncing and backup mechanisms that may have been automatically and/or manually initiated the last time the mobile device was plugged to that respective PC/laptop. Users can also send data other than SMS to include multimedia messaging service (MMS) video, photos, attachments, and even location information. Thus, it is important for the examiner to examine these potential avenues of evidence, and stay abreast on the changes made to how messaging data is transferred and/or backed up on devices. There are also nonnative apps that provide MMS and SMS-like functionality. Apps like Google Hangouts, Skype, and even free texting apps can cache data on the mobile device that might be of value to the examiner and must be analyzed as a potential source of communication. Additionally, anonymous messaging apps such as YikYak and Whisper are gaining popularity. These apps allow users anonymously to create and view messages within a given geographic radius. The nonnative app Snapchat is also ever increasing in popularity. Snapchat users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients. These sent photographs and videos are known as “Snaps.” Users set a time limit for how long recipients can view their Snaps (as of September 2015, the range is from 1 to 10 s) after which Snapchat claims they will be deleted from the company’s servers and possibly the device they are stored upon. According to Snapchat in 2014, the app’s users were sending 700 million photos and videos per day, while Snapchat Stories content was being viewed 500 million times per day (Lunden & Tsotsis, 2014). As such, forensic analysis of the mobile device may be the only method of recovering potential multimedia evidence from the app.

MULTIMEDIA AND VoIP “STREAMING” APPS Historically, mobile devices have and continue to provide voice communication capabilities and functionality over the cellular network. Records of this activity can be obtained by seeking call detail records from the cellular service provider in order to verify evidence of these communications. However, this is not the only method of

There is an app for that – forensic challenges and threats within apps

voice communication on the device. Ever-increasing high-speed WiFi and 4G LTE data networks are enabling voice over IP (VoIP) apps like Skype and Google Hangouts to become increasingly popular and used on mobile device platforms. Also, streaming apps such as Livestream and Periscope can be of evidentiary value as well. The trending app Periscope is a live streaming app that is available as the mobile application itself as well as on Twitter. When connected to Twitter, Periscope users can allow other users to see links tweeted in order to view live-stream. Users of Periscope are able to choose whether or not to make their video public or simply viewable to certain users such as their friends or family. These videos can be viewed in a live realtime stream, with the replay of the stream available to viewers within the app for a period of 24 h. This ability to stream video substantiates the possibility of catching criminals engaging in criminal activity. Periscope streams depicting criminal activity such as drug use, discharging firearms, etc. have been discovered in recent months (H11, Fighting Crime with the Periscope App, 2015). One such example involved two San Diego men, Damon Batson and Carlos Gonzalez, who were arrested after posting a Periscope broadcast of their intentions to visit and hurt someone (Mejia, B. (2015)). Comments made by live viewers of the Periscope broadcast were also successful in enticing Gonzalez to discharge his weapon to prove that it was real. Both Batson and Gonzalez were arrested in connection to the live broadcast (Franzen, 2015). It is important to note that traditional call detail records from the cell service provider will reveal no evidence of the use of the aforementioned VoIP apps on a given device; therefore investigators should be aware not only of the capabilities of such apps, but also the volatile and nonvolatile data if not retained, could be lost. Therefore mobile examiners must look at these VoIP apps as a potential source of communication and know-how to extract any residual data from these mobile apps. In addition, the examiner will be able to reconstruct all communication channels on a given mobile device as it is not common for a given user to be simultaneously using voice calls, and apps like Skype, FaceTime, and Google Hangouts. Therefore, reconstructing the call logs from these apps could prove to be an arduous and meticulous process.

CLOUD-BASED STORAGE APPS With cloud-based services becoming increasingly popular, apps such as Dropbox, Box, and services offered by mobile device vendors (i.e., Apple iCloud, Microsoft OneDrive, and Google Cloud Platform) offer remote storage and syncing of user data. These apps are commonly used to quickly share files over multiple synced devices and for data redundancy. From an information security perspective, data contained within these services can be vulnerable due to weak authentication protocols, weak passwords, and improper permissions issues (i.e., inadvertently making private files public). For this reason, exploitation of these services will be an avenue of current and future criminal activity. In addition, those engaged in nefarious activities such as child pornography will utilize these services to covertly acquire and share images and videos within a vetted cohort. Therefore, it is important for the ­mobile

75

76

CHAPTER 5  Mobile device forensics

forensic examiner to be well versed on “how” and “where” these devices sync. In addition, there are tools and scripts that are available to the examiner that will allow siphoning of the synced data out of apps like Dropbox. However, accessing such data on a mobile device may be challenging for the mobile forensic examiner due to the fact that the data are not actually stored on the mobile device but in the cloud. This trend seems to hint at the increasing trend of convergence of the mobile device and the personal computer – a relative “game changer” for how current digital forensic practices are performed.

CAMERA-ENABLED APPS As the technology of mobile equipment exponentially increases, so too will the capabilities of the embedded cameras on these devices. Most smart mobile devices are equipped with cameras that are capable of producing high-resolution images and true high-definition (HD) videos. In September 2015 Apple released the iPhone 6s, which was the first major mobile device to offer 4k (high-def) video embedded in the device. In addition, the front and rear-facing camera offered high-quality 12-megapixel resolution capabilities, which nearly rivals the video and image quality of a DSLR camera (AppleInsider, iOS 9 includes new iCloud Drive app, 2015). Traditionally, mobile devices offered low-resolution, low megapixel camera quality that produced highly compressed output images and video in order to save the limited amount of storage space on these devices. This poor frame rate and quality often produced poor quality video and images, and proved to be an issue when introduced as evidence of a given crime. However, this increased technology can prove to be beneficial to the mobile forensic examiner as it allows frames and detail to be captured that may have previously been overlooked or not caught at all just a few years back. Capturing of small detail such as subtle facial details and expressions and cartridge ejections from a weapon are a few of the beneficiaries of such increased enhancements. Increases in high-capacity storage media on mobile devices provide the opportunity to capture events on demand. Riots, bombings, shootings, to name a few could be caught by citizens in the vicinity of such an event and thus be utilized as evidence of a given crime. There is also the possibility of the criminal to film their misdeeds using a mobile device. Used in conjunction with previously mentioned social media and/or messaging app, this enables an investigator to analyze the behavior, interests, and motivations of a suspect or victim. One such incident occurred in August 2015 in Roanoke, VA, when former disgruntled WDBJ reporter Vester Flanagan, known on-air as Bryce Williams, shot and killed WDBJ journalists Adam Parker and Alison Ward, and wounded another (the interviewee) while doing a live, on-air segment. A few hours later, as police undertook a massive manhunt, Flanagan took to Twitter and tweeted “I filmed the shooting see Facebook” and posted videos of the shooting from his point of view on his Facebook account (Toppo, 2015). Flanagan used his mobile phone to film the account of the shooting from his perspective and the gun is visible at multiple points in the short video, Parker is seen being shot toward the end of the video. After posting the video on his Facebook account, he later tweeted to complain that

There is an app for that – forensic challenges and threats within apps

the dead reporter, who was white, was a racist and that the cameraman, also white, had filed a complaint about him with the station’s human resources department. He faxed a 23-page, expletive-ridden letter to ABC News, saying he had bought his gun and hollow-point bullets two days after the mass shootings on June 17 at a Charleston, SC, church (USA Today, 2015). Nearly five hours after the murders, Flanagan shot himself in a rental car as police finally chased him down Interstate 66. He had driven nearly 200 miles from the shooting scene near Roanoke, VA, apparently tweeting the previously mentioned messages and Facebook posts along the way (Toppo, 2015). Incidents such as the Roanoke shooting are indication that images and video captured on mobile devices are trending to be a focal source of evidence in any given mobile forensic investigation. Whether it be obtaining the multimedia content from the device itself, capturing the content from social media, or both, it is certain that mobile investigators understand the intrinsic value of such content in any given ­investigation.

LOCATION DATA AND APPS The increased capabilities of location data included in mobile devices provide the opportunity for developers to create location-aware apps that can assist users in traveling more effectively and locating places of interest, and is heavily trending in the consumer world. This can be a jackpot of potential digital evidence as investigators can track latitude and longitude coordinates coupled with date and times that can be analyzed to prove location. Many devices and apps are now supporting location services, and data can be found in a number of places on a given mobile device, which include apps that store location, databases of saved Wi-Fi access points and hotspots, and media and reminder locations stored by the device. On most mobile devices, location services are measured by the following: Service Type

Description

Global positioning system (GPS)

Satellite-based system that provides location (latitude and longitude) information as well as date and time information for a given mobile device. This is the most accurate location service of mobile devices. Based on the 802.11 standard, these include both public and private wireless access points and devices, including hotspots that might be mobile (mobile hotspots). These access points have limited range capabilities to any given mobile device (65 to 100 feet indoors) for a given access point. If signal becomes weak to the WiFi hotspot, then assisted GPS is utilized by the device to gather location information. Accuracy of Wi-Fi is less than that of GPS, but more than cell tower triangulation. Location of the mobile device is measured by calculating the power levels and antenna patterns of the mobile device, a process known as triangulation. Location of the device is based off of the connection to the closest base station (cell tower), which is more accurate in mountainous and urban areas as cell towers are closer together, and less accurate in flat areas as towers are more spread out. This is the least accurate of location-based services.

Wireless (Wi-Fi) Hotspots and access points

Base-station (cell tower) triangulation

77

78

CHAPTER 5  Mobile device forensics

Navigation-based applications such as Apple Maps and Google Maps not only store location-based information of places traveled to while using the app, but also saved directions that may have been input by the mobile device user at any given time. These saved locations usually are accompanied by timestamps within the app database that can further prove approximate location of a given device at a given point in time. In most cases, this data can be harvested from the app itself if the investigator has access to device (Bobbitt, 2009). One of the more location-aware trends is that of social media content utilizing location services to embed in social media postings made from mobile devices. Apps such as Facebook, Twitter, and Instagram have all integrated these services into postings within the app if the user chooses to enable location services for them. This can prove to be a valuable source of evidence as approximate location of where the post was made is put into the public forum. One such instance of location information proving useful is in the case of Joaquin Guzman, the Mexican drug lord known as “El Chapo” who escaped from two supermax prisons in Mexico and was evading law enforcement in August 2015. A post to an account believed to belong to El Chapo’s son, Alfredo Guzman, includes a photo of the son flanked by two unidentified men whose faces are obscured by emoticons. The mustachioed man sitting to Alfredo’s right at a restaurant resembles “El Chapo” (Sanchez, 2015). The post reads: “Satisfied here, you already know with whom.” The tweet’s location reveals Costa Rica. It is unclear whether the location tag was inadvertently left on, meant to misdirect authorities or intended to mock them. It is also not verified whether this Costa Rica is the Central American country or a town in Mexico. Location services within posts can be modified rather easily in most mobile apps such as Twitter, Instagram, or Facebook (Sanchez, 2015). For these reasons, mobile forensic examiners should not rely on these posted locations as accurate. However, this can prove to be a unique challenge to the examiner to verify such data as accurate. This may rely on “totality of the circumstances” or in other words, seeking out additional corroborating evidence that may prove location. In many cases, this could involve geotagged and/or EXIF data embedded within the images on devices.

GEOTAGGING AND EXIF DATA WITHIN APPS Many camera apps on most smart mobile devices are location aware and can tag latitudinal and longitudinal coordinates: a process known as geotagging. Geotagging refers to the process of adding geographical identification metadata to various types of media such as videos and photographs. Geotagging can help users to find a wide variety of location-specific information from a given mobile device. For instance, someone can find images taken near a given location by entering latitude and longitude coordinates into a suitable search engine (such as doing an image search in Google). Geotagging-enabled information services can also potentially be used to find location-based news, websites, or other resources (Bobbit, 2009). Geotagging can tell users the location of the content of a given picture or other media or the point

Persistent threats and challenges

FIGURE 5.1  Example of Geotagged Image Taken From an iOS Device

of view, and conversely on some media platforms show media relevant to a given location. In addition, it can also reveal what type of camera and/or mobile device was used to take a certain image. In recent years, many social media sites such as Facebook, Twitter, and Instagram have updated their API to scrub these geotags when a user uploads a photo, but other sites such as Craigslist, Backpage, and certain message boards still retain the original geotagged metadata of the media. In addition, geotagged information is most often retained in SMS text message transfers and email attachments, thus creating an additional avenue of evidence for the mobile forensic examiner (Fig. 5.1).

PERSISTENT THREATS AND CHALLENGES – WHAT LIES AHEAD FOR MOBILE DEVICE FORENSICS DATA ENCRYPTION AND STRONGER PASSWORDS Following the NSA data breach of Edward Snowden in 2013, both Apple and Google rolled out stronger and more stringent passcode and encryption standards for their respective operating systems. In a perfect world, the digital forensic examiner would desire to encounter a mobile device with no passcode, thus making it easy to extract information from the device. According to a 2013 global survey by McAfee and One Poll, 64 percent of consumers passcode protect their devices (Siciliano,  2013). In order for any forensic tool to successfully extract and decrypt all data in most cases, a successful passcode bypass must be achieved. In the case of iOS devices, passcodes fall into two succinct categories: simple and complex. Traditionally, iOS devices defaulted to a 4-digit alphanumeric passcode. The introduction of iOS 9 in September 2015, however, began supporting 6-digit passcodes by default (AppleInsdier, iOS 9 includes new iCloud Drive app, 2015).

79

80

CHAPTER 5  Mobile device forensics

This change, in some cases, rendered some commonly used passcode bypass methods in the forensic community obsolete. Mobile forensic extraction tools should be able to bypass and reveal a simple passcode automatically for most iOS devices, with newer iterations of iOS devices allowing bypass if trust certificates are obtained, even if a longer alphanumeric passcode exists (Engler, 2013). Trust certificates are generated when an iOS device is synced to a particular PC, thus allowing the user to sync data from that device via iTunes. Following the passcode extraction process, it will be possible to extract and decrypt all data, including protected files; however, in some cases, it may be impossible for the examiner to locate trust certificates, thus making passcode bypass challenging. This may require a different, and more timeconsuming approach such as chip-off or JTAG, which require advanced expertise and training by the examiner. For many Android devices, swipe passwords can be bypassed insomuch as USBdebugging is turned on within the phone. However, many users do not enable this setting as it is considered a developer option and is often hidden within the operating system (Engler, 2013). For the mobile forensic examiner, this may prove to be a challenge as it requires seeking out an alternative, and more time-consuming method of bypass. The future threat, in many respects, to the passcode and encryption bypass exists in future upgrades to mobile operating system itself. It can be implied that patch and version upgrades are issued to fix security holes and exploits, which in some cases, is exploited by the mobile forensic tools to extract data from a given device. In the case of Android, it is unusual for operating systems to be upgraded on the device, while Apple pushes out version and patch upgrades automatically to its users on all supported versions of the device (Engler, 2013).

“BURNER” AND CHINESE PHONES Prepaid “burner” phones, defined as cheap mobile devices that are used for a short period of time or for a particular purpose, then tossed away by the user, have been a problem for some time, in particularly law enforcement. This is due to the fact that in many cases the disabled data port on these devices cannot be enabled, and vendors do not make their own and/or have access to the devices’ APIs, which is the normal mode by which mobile forensic extractions are completed and made available to commercial forensic extraction tools’ developers (Engler, 2013). In addition, “knock-off” phones manufactured overseas also pose a threat to analysis due to their proprietary nature and overall lack of documentation, both from the software and hardware perspective. For example, iPhone devices manufactured as knock-offs in China may look and even operate like a legitimate iOS device, but closer inspection may reveal that the data connection is a USB connection rather than the standard lightening connection used by Apple. In addition, the operating system may be so proprietary in nature that even if a data connection is established, no tool or forensic process can read it. This leaves the tedious option of either JTAG and/or chip-off analysis (Fig. 5.2) (Engler, 2013).

Persistent threats and challenges

FIGURE 5.2  Example of a Chinese Burner Phone in Comparison to an iOS Device

JTAG AND CHIPOFF ANALYSIS – ADVANTAGES, CHALLENGES, AND THREATS Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Forensic acquisition of a particular mobile device utilizing the JTAG method usually involves connecting to the standard test access port (TAP) on a device and instructing the processor to transfer the raw data stored on connected memory chips (a process known in slang terms as j-tagging). J-tagging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means (Forensicswiki, JTAG Forensics, 2015). In addition, JTAG requires a high-level of examiner knowledge and training, which can prove to be somewhat expensive. In addition, the equipment used to read the raw data only supports a limited number of devices per box, thus requiring multiple boxes to read data from the various chipsets extracted by the procedure. In addition, there are few publically available best practice guides for this procedure, mainly due to the fact that the JTAG procedure itself is constantly evolving and follows a different extraction procedure from device to device. This, in itself, makes it difficult and time-consuming for mobile forensic examiners. Moreover, decoding of

81

82

CHAPTER 5  Mobile device forensics

acquired raw data may be difficult, if not, impossible to decode. However, it is still a highly favored avenue of forensic analysis and is gaining popularity in the mobile forensic community, as traditional extraction methods become obsolete and yield unfruitful results. Chip-off forensics is an advanced digital data extraction and analysis technique which involves physically removing flash memory chip(s) from a mobile device and then acquiring the raw data using specialized equipment. Chip-off forensics is a powerful capability that allows a mobile forensic examiner to collect a complete physical image of nearly any device, even those which have suffered catastrophic damage such as fire or water damage. Although extremely useful to examiners, chip-off does carry its own challenges. Chip-off is destructive to the device and in some cases renders it inoperable after the process is complete (Binaryintel, Chip-Off Forensics, 2015). In addition, chip-off requires a high level of training and working knowledge by the examiner, which like JTAG can prove to be costly in terms of training and equipment. Also, decoding raw data from captures might prove to be challenging without the right tools and software, and the raw output from these captures may change from version to version, making it even more difficult to interpret and extract forensic evidentiary data. As microchips evolve in these mobile devices, so too will the challenges that persist in finding effective methods to remove and/or analyze such chips.

VALIDATION AND BEST PRACTICES OF MOBILE FORENSIC TOOLS AND METHODS – THE FORENSIC ENIGMA One of the more persistent challenges faced by mobile forensic examiners as of late is properly validating the forensic tools and procedures that are used on a day-today basis. Many examiners throughout the United States and world work in digital forensic laboratories that are accredited by either ISO 17025 or 17020, which is a common accreditation standard for forensic testing and forensic evaluation laboratories. Both of these accreditation requirements state that any method used within the laboratory setting must first be validated before use. This may prove to be difficult as mobile forensic processes and tools are constantly changing and updating with each new hardware and software version upgrade of a specific mobile device. In addition, in the case of JTAG, the process might be slightly different from device to device, although the same equipment is used for the investigation of the different mobile devices. Traditionally, the science of digital forensics is founded on the principles of repeatable processes and quality evidence. As the field of digital forensics continues to grow and evolve as a science, the importance of proper scientific validation will be more important than ever. This involves mobile examiners drafting validation test plans that outline the key functions of a particular tool or methodology (i.e., JTAG or chip-off) and testing those functions against a known dataset (Brunty, 2015). Validations must be repeatable and reproducible and, as such, may pose a significant threat to examiners tasked with such casework. Unlike other forensic science disciplines such as DNA, which follow uniform procedures and thus, can somewhat easily

References

validate a method, mobile device forensics are working with methods which may significantly change by the month due to the simple fact that vendors are constantly updating hardware and software. This leads to the inherent challenge of maintaining uniform best practices and standard operating procedures (SOPs) for mobile device forensics. The National Institute of Standards and Technology (NIST) has published publication 800-11 Guidelines of Mobile Device Forensics, which outlines basic procedures to successfully perform a mobile forensics investigation (Ayers et al., 2013). In addition, the Scientific Working Group on Digital Evidence (http://swgde.org) has also published a Best Practices for Mobile Phone Forensics (2015), which provides a general overview of common terminology and procedures and methods used in the mobile device forensics field. Due to the rapid and changing nature of mobile device forensics, much of the verbiage in these documents is wide-ranging so as to anticipate rapid changes that may occur to how a certain device is examined after a new updated is realized by the vendor.

CONCLUSION Emerging mobile device technologies, especially those occurring in smart devices, have driven substantial progress and unparalleled growth in the field of mobile device forensics, but not without creating challenges and pitfalls to developers and those examining the devices alike. As these challenges show up and continue to persist on the mobile device forensics scene, so too will the mobile examiners’ methodologies be applied and reformed to counteract and effectively examine these mobile devices in a forensically sound manner.

REFERENCES Ayers, R., Brothers, S., & Jansen, W. (2013). Guidelines on Mobile Device Forensics NIST Publication 800-101. Retrieved September 10, 2015 from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf. Best Practices for Mobile Phone Forensics. Scientific Working Group on Digital Evidence (SWGDE). Retrieved September 10, 2015 from https://www.swgde.org/documents/Current%20Documents/2013-02-11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0. Bobbitt, R. (2009). Photographers Have Several Camera Options for Geotagging Pictures with GPS Points. Directions Magazine. September 28, 2009. Retrieved September 10, 2015 from http://www.directionsmag.com/entry/photographers-have-several-camera-options-for-geotagging-pictures-with-gps-/122479. Brunty, J. “Windows 8 A Forensic First Look.” Digital Forensic Investigator (DFI). 2012(2). Retrieved September 10, 2015 from http://www.forensicmag.com/articles/2011/03/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner. Carsten, P. (2015). Apple Hack Exposes Flaws in building apps in China. Reuters. September 23, 2015. Accessed September 23, 2015 from http://www.reuters.com/article/2015/09/23/ us-apple-china-cybersecurity-idUSKCN0RN07W20150923.

83

84

CHAPTER 5  Mobile device forensics

Chip-Off Forensics. Binary Intelligence. Accessed September 10, 2015 from http://www.binaryintel.com/services/jtag-chip-off-forensics/chip-off_forensics/. Engler, R. (2013). 6 Persistent Challenges with Smartphone Forensics. Forensic Magazine. February 8, 2013. Retrieved September 10, 2015 from http://www.forensicmag.com/ articles/2013/02/6-persistent-challenges-smartphone-forensics. Fighting Crime with the Periscope App. H11 Digital Forensics. Accessed September 10, 2015 from https://www.h11dfs.com/periscope/. Finkle, J. (2015). Apple’s iOS App Store suffers first major attack. Reuters. September 20, 2015. Retrieved September 23, 2015 from https://www.yahoo.com/tech/s/malware-hitschinese-apps-apple-app-store-cyber-191855815.html. Franzen, C. (2015). Watching People Snort Cocaine on Periscope Is Just the Beginning. Motherboard Magazine. April 6, 2015. Accessed September 10, 2015 from http://motherboard.vice.com/read/watching-people-snort-cocaine-on-periscope-is-just-the-beginning. Gartner Media. The Myths of Hackproof Smartphone Operating Systems. December 8, 2014. Accessed September 10, 2015. http://caps.fool.com/Blogs/the-myths-of-hackproof/1018247. Hein, B. (2014). Meet the police forensic tool pervs used to steal celebrity iCloud nude photos. Cult of Mac. September 2, 2014. Accessed September 10, 2015 from http://www. cultofmac.com/293620/police-forensic-tool-made-iclouds-celebrity-nudes-leak-possible/. iOS 9 includes new iCloud Drive app, 6-digit passcode, shift button fix and more AppleInsider. September 18, 2015. Accessed September 23, 2015 from http://appleinsider.com/ articles/15/09/18/first-look-ios-9s-icloud-drive-app-6-digit-passcode-shift-button-fixand-more. JTAG Forensics. Forensics Wiki. Accessed September 10, 2015 from http://forensicswiki.org/ wiki/JTAG_Forensics. Lunden, I., & Tsotsis, A. (2014). Snapchat Has Raised $485 Million More From 23 Investors, At Valuation of up to $20B. December 31, 2014. Accessed September 10, 2015 from http://techcrunch.com/2014/12/31/snapchat-485m/. Mejia, B. (2015). Men using Periscope broadcast their plan to hurt someone, get arrested. Los Angeles Times. August 31, 2015. Accessed September 10, 2015 from http://www.latimes. com/local/lanow/la-me-ln-criminal-activity-broadcast-on-periscope-leads-to-arrest-oftwo-20150831-story.html. Mobile Technology Fact Sheet. Pew Internet Research. Accessed September 10, 2015 from http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/. Sanchez, R. (2015). Did ‘El Chapo’ Guzman’s son tweet fugitive’s location? CNN. September 7, 2015. Accessed September 10, 2015 from http://www.cnn.com/2015/09/05/world/ mexico-el-chapo-guzman-tweet/. Siciliano, R. (2013). More Than 30% of People Don’t Password Protect Their Mobile Devices. McAfee Blog Central. February 24, 2013. Accessed September 10, 2015 from https:// blogs.mcafee.com/consumer/unprotected-mobile-devices/. Toppo, G. (2015). Shooter filmed his gruesome act, then posted video to Facebook. USA Today. (August 27, 2015). Accessed September 10, 2015 from http://www.usatoday. com/story/news/2015/08/26/virginia-shooting-live-tv/32433013/.